Erroneous communication prevention apparatus for electronic mail

ABSTRACT

An electronic mail client includes features for preventing addressing errors in electronic messaging such as those caused by predictive text features. A messaging client tracks addressing parameters including the length of time since each previous addressee has been messaged, the quantity of times selected addressees have been co-addressees on messages, if any, whether the addressees are designated as sensitive and whether the messages contain sensitive subject matter. If a high risk of addressing error is determined, the client delays transmission of the message to permit the user to review the message recipient addresses and correct any erroneous addressees.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No.12/372,647, filed Feb. 17, 2009, (U.S. Pat. No. 9,560,003 issued Jan.31, 2017), which claims priority pursuant to 35 U.S.C. § 119(e) to U.S.provisional application Ser. No. 61/028,846, filed Feb. 14, 2008, whichapplications are expressly incorporated herein, in their entireties.

BACKGROUND

1. Field

The present disclosure relates to an apparatus for preventingtransmitting of electronic mail or messages to erroneous-selectedrecipients.

2. Description of Related Art

Many programs, both web-based and locally executed, and across platformssuch as personal computers, PDAs and cellular phones, use predictivetext to reduce the number of keystrokes used to identify the addresseeof a communication, Some modalities use voice recognition or otherwiseavoid the use of finger-driven input at all. Predictive text systemsgenerally store lists of past addressees in a database or other memorystructure, and predicted addressees are selected from past addressees onthe list. In the alternative, or in addition, predictive entries may beselected from addressees stored in an electronic address book or thelike belonging the prospective sender of the communication.Notwithstanding the advantages of predictive text, it is subject tocertain disadvantages. With the decreased level of input required toidentify a addressee comes an increased risk of the predictive textidentifying the wrong addressee. If the error is not noticed by thehuman operator addressing the message, the message may be transmitted tothe wrong recipient. Therefore, for users of predictive text features, amessage can be all too easily sent to the wrong recipient, resulting indisrupted communications, confusion, embarrassment, breach ofconfidentiality, or other adverse consequences.

For example, a person who has two contacts in his address book with thesame first name, “John,” may try to email “John Smith.” When the persontypes ‘jo,” the predictive input system may present him with twochoices: “John Adams” and “John Smith.” A simple erroneous flick of thefinger selects “John Adams” instead of “John Smith,” which if notnoticed before the message is sent, may result the email going to thewrong recipient.

Other email addressing functions may also lead to incorrect addresseesbeing added to a message. For example, email clients generally provide a“reply all” functions that automatically addresses an outgoing messagewith all addresses listed as recipients of an incoming message, plus thesender of the incoming message. The user making use of the “reply all”feature may have intended to use a “reply” to sender only function, ormay not notice that one or more of the addressees added by the “replyall” function should not receive the reply. Either way, the replymessage may be transmitted to an unintended addressee. Other addressingerrors may be caused by selecting the wrong message to reply to or justunintentionally selecting the wrong addressee for some other reason.

It would be desirable, therefore, to preserve the function of predictivetext systems in electronic message addressing, and other addressingfeatures, while reducing or eliminating the risk of erroneous addresseeselection that presently arises from the use of such systems. There isno obvious solution to this problem, however, because the speed andconvenience that is the purpose of predictive texting and other featuresis contrary to the purpose of increasing accuracy and reducing risk orerror. It is difficult to conceive of a solution that effectivelysatisfies these diverse and contrary objectives.

SUMMARY

An electronic mail or messaging client may be configured, using suitableclient-side software, firmware, and/or hardware, to determine a level ofrisk for each addressee identified prior to transmission of anelectronic message. If a determined level of risk for an addresseeexceeds a predetermined threshold, the client outputs an alert, such as,for example, a pop-up display message, to alert the sender. Themessaging client may require the sender to confirm that the addressee iscorrect before transmitting the message.

The electronic mail or messaging client may comprise a processoroperatively associated with random-access memory for holding processorinstructions and computational results and input data. The processor mayalso be in communication with a storage device, including a tangiblecomputer-readable medium, for storing software and data for use inoperating the processor. Other components of the client may include anetwork interface enabling the processor to communicate with anelectronic mail or messaging server; a display screen and/or speaker forproviding visible and/or audible output to the user, and an inputdevice, for example, a keyboard, touchscreen, pointing device, and/ormicrophone for receiving tactile and/or audible input. All of theforegoing components may be housed in housing configured in any suitableform factor. For example, the messaging client may be provided in aportable, hand-held form, such as in a palm-top computer or intelligentmobile phone. In the alternative, the messaging client may be providedin the form of a laptop or desktop computer. The messaging client maythus be equipped to transform tactile or audible input into aninteractive display for authoring, addressing, and transmitting anelectronic message. Any electronic message prepared using the messagingclient may be stored in a computer-readable medium and represents atransformation of the tactile and/or audible input received by theelectronic mail client into the form of electronic message data and intoaudible or visible output representing that data.

Further transformation of the data may occur when the electronic messageis transmitted to a recipient mail client. The message may betransferred to and recorded in different storage medium, such as to astorage medium for a mail server, along the transmission path. Headerinformation may be added to the message as one or more nodes along thetransmission path, recording details of the transmission route.Eventually the message may be accessed by a recipient client from alocal or remotely located storage device, causing a visual displayand/or audio output relaying the message to a recipient. All of thesetransformations involve changes in tangible objects that in many casesare essential to the function and purpose of the electronic mail ormessaging system.

Correct addressing is an essential part of the message transformationsequence. Without consistently correct addressing, the electronicmessage system, including the messaging client, has no utility or value.To effectively reduce addressing errors introduced by predictivetexting, the messaging client should be provided with operatinginstructions to effectively detect situations signaling a relativelyhigh risk that an incorrect addressee has been identified, withoutgenerating alerts when the risk is relatively low. This may beaccomplished using a multi-factor analysis of contributing risk factorsprogrammed into the message client or server. The client or server maybe programmed to detect the presence or absence of risk factors, andprocess the factor data using an appropriate algorithm to determine alevel of risk. Exemplary risk factors are described below.

For example, one risk factor may be determined from similarity between aselected address and one or more other addresses in the database usedfor predictive texting. Similarity may be measured using algorithms thatcompare the characters in address strings, the length of the addressstrings, and character positions within the strings. Risk may bedetermined based on a rule, for example, that the likelihood of errorincreases in proportion to the degree of similarity between a selectedaddress and one or more other addresses in the predictive pool.

Another risk factor may be determined from the relative frequency withwhich mail has been sent to a selected address in the past. Verifyinginfrequent addressees may prevent erroneous communication in anelectronic mail client. For example, if a particular address has notbeen a designated address in a message from the mail client within ‘n’days (wherein ‘n’ may be pre-set, may include infinity or may be set bythe user), the client may generate and output a confirmation query,which may contain history data. The confirmation query as displayed onan output device connected to the client may read, for example, for amessage addressed to John Adams: “You haven't sent an email to JohnAdams in 193 days, but emailed John Smith just this morning. Have youselected the right recipient?” The client may generate and display aninput button or box requesting confirmation of “yes” or “no” in responseto the query. In response to receiving “yes” input, the client maytransmit the message. In response to receiving “no” input, the clientmay prevent message transmission to permit the user to correct themessage address.

Another risk factor may be determined from analyzing past patterns ofaddressee groupings. For example, determining and then verifyingunusually paired addressees may prevent inadvertent communication in anelectronic mail client. If addresssees of a multiple-recipient messagehave not been emailed together previously (or for a long predeterminedtime), the messaging client may generate a confirmation message. Theuser may also be asked for confirmation if the addressees have not beenpart of a forwarded or replied-to message to which a non-originaladdressee is added. Such a confirmation message may read, for example:“I notice you are emailing both John Smith and Thomas Jefferson. Youhave never sent both of those recipients the same message. Do you intendto do this?” In addition, the message may suggest alternatives such as“You have, however, frequently emailed Thomas Jefferson and John Adamstogether. Do you really intend to send this to John Smith?”

Another risk factor may be determined from analyzing past addressingpatterns in relation to the day of the week or holidays. For example,business correspondence may be more frequently prepared on weekdays ornon-holidays, while personal correspondence may more frequently occur onweekends or holidays. The client or server may track these associationsand alert the sender if an addressee violates a tendency determined frompast correspondence. For example, during a weekend the client maygenerate a message such as “You don't usually send mail to John Adams ona weekend. Are you sure you don't mean to send this message to JohnSmith?”

Additionally, the messaging client may permit the user to designate“sensitive” recipients or categories of recipients as a way of reducingaddressing risk. For example, any addressee identified in an addressbook as a lawyer may be denoted as sensitive for addressing purposes.The messaging client may be configured to require that any message to anaddressee designated as “sensitive” not be sent without confirmation.For example, the client may generate and output a message such as “Youare attempting to email attorney Jane Hutz. You have asked that anyemail to attorneys be confirmed prior to sending. Please confirm thatyou wish to send this email.” Optionally, messages that are replies toemails from the same user may be excepted from the requirement forconfirmation, as a replay message is less likely to be addressedincorrectly. Such confirmations may also be set on an enterprise level,requiring all employees of Corporation X to verify before sending tolawyers.

In addition, or in the alternative, the messaging client may also beconfigured to support designating “sensitive” information or subjectareas to prevent unintended communication. In the alternative, or inaddition, sensitive terms may be defined by an administrator forsystem-wide use by multiple clients. For example, any email containingthe term “fraud” may be set to require additional confirmation. Suchrequirement may also be implemented only where other criteria are met.For example, a messaging client may generate a confirmation message suchas: “I notice you are emailing attorney Jane Hutz with an emailcontaining the word “fraud.” You have asked for confirmation beforesending such emails. Please confirm that you intend to do this.”

In the alternative, or in addition, the messaging client may beconfigured to hold emails or messages that satisfy designated riskcriteria for a designated period before transmitting. The rule sets thatthe client uses to determine whether or not a message should be held maybe the same or similar to those used to select outgoing messagesrequiring additional verification. Any email matching those criteria maybe held for a specified time prior to sending. For example, any emailsent to a governmental agency (or a “.gov” address) may be held for 60minutes prior to sending. Optionally, the user may be informed of theholding time. The client may be configured to permit the user to changehis or her mind during the holding period, and edit or cancel the emailprior to its delivery.

A more complete understanding of the apparatus and method for reducingaddressing or messaging errors will be afforded to those skilled in theart, as well as a realization of additional advantages and objectsthereof, by a consideration of the following detailed description.Reference will be made to the appended sheets of drawings which willfirst be described briefly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow diagram showing exemplary steps of a method forpreventing erroneous electronic messages, such as may be performed usinga suitably configured electronic messaging client.

FIG. 2 is a block diagram illustrating a system for electronicmessaging, including a suitably configured electronic messaging client.

FIG. 3 is a block diagram showing components of an exemplary messagingclient for preventing inadvertent addressing errors.

DETAILED DESCRIPTION

FIG. 1 shows exemplary steps of a method 100 for preventing inadvertentaddressing errors in an electronic mail client. An electronic mail ormessaging client as described herein may be configured to perform method100 by providing executable instructions encoded in a tangiblecomputer-readable medium for use by the client. In the alternative, amessaging server may be similarly configured to perform the method,alone, or in combination with a messaging client. The executableinstructions may be loaded into processor memory whenever the client'selectronic mail or messaging application is operating. These executableinstructions may be integrated into the mail or messaging client,causing the client to perform the described actions in addition to thecustomary functions of an electronic mail or messaging client.

The mail or messaging client may also be configured with instructionsfor predictive texting and other addressing features as known in theart. Predictive texting operates to present a list of past addresseesthat match text input into a addressee address field of a messageediting form. The list is progressively narrowed as more characters areentered into the field. The client may be configured to permit the userto scroll down the list and select a recipient at any time. Althoughconvenient for addressing, this feature may increase the risk oferroneous addressee selection by the user. Another automatic addressingfeature that commonly leads to addressing errors is the “reply all”function, familiar to any user of electronic mail clients. Addressingerrors may be caused in other ways also, and the present invention isnot limited to a specific cause of addressing errors.

At 102, an electronic mail client, such as a client operating on apersonal computer, PDA, mobile telephone, or the like, receives userinput signaling intent to send electronic mail or message to one or moredestinations. This may occur, for example, after the client has beenused to prepare and address a message, which is ready for transmission.Prior to transmitting the electronic mail or message, the clientprocesses each of the addressees designated by the electronic mail ormessage header to assess a risk that the addressee has been erroneouslyselected. In addition, or in the alternative, the client may receiveuser input designating addressee parameters, such as identifying one ormore recipient addresses in a contact as having a “sensitive” status.The client may be configured so that confirmation is required for allrecipient addressees designated as sensitive.

The client may assess risk of error in addressing using a weightedmulti-factor analysis implemented by a programmed analysis algorithm. Ina multifactor analysis, a numerical score may be assigned based onmultiple parameters. These parameters may include, for example, thelength of time since each previous addressee has been emailed, thequantity of times addressees have been sent emails together, if any, thepresence of designated keywords in the message and similarity. Emailparameters may be determined from past message data that is stored,maintained and updated on a local or remote database 105. The client maycompile past message data 104 to develop addressee activity data thatmay also be stored in database 105. For example, each time a message istransmitted from the client, the client may update an activity score foreach recipient addressee of the outgoing message. The activity score mayprovide a measure of the number of times each addressee has been amessage recipient, weighted by a measure of how recent the messageactivity is. Higher activity scores may be assigned for more recentmessage activity. In addition, the compiled data may include a measureof how many non-zero times the addressee has been named as aco-addressee with other addressees in the addressee database. Thisco-addressee activity may also be weighted in a diminishing fashion withage (i.e., older messages receive less weight) and should include anidentifier for the co-addressees for each addressee. For furtherexample, the client may record time-of-day, date, day-of-week, and/orholiday information associated with outgoing message addressees, todevelop addressee chronological data for use in risk analysis.

At 106, the client may compare the addressee parameters of an outgoingmessage to addressee history information stored in the database todetermine a risk that the message includes an addressing error. Thisrisk may be assessed as a numerical score, for example, as an estimatedprobability of error. In a multi-factor analysis, an estimatedprobability of error may be increased or decreased depending on multiplemessage parameters. Over time, error probability estimates may berefined and made more accurate using user feedback to assess acorrelation between message parameter values and actual error rates.However, if such data is not available, an ad hoc estimation of errorprobability may also be useful, with an objective not indentifying somesubset of outgoing messages having a relatively high risk of addressingerror in comparison to other outgoing messages from the client. Certainfactors may be used to indicate a higher probability of error: (1)addressee has not been recently selected as addressee for other outgoingmessages (recent activity score); (2) addressee is in general seldomselected for other outgoing messages (absolute activity score); (3)addressee has not been recently selected with other addressees on othermessages (recent or time weighted inconsistent addressee groupingscore); (4) addressee is in general seldom or never selected with otheraddressees on other messages (absolute inconsistent addressee groupingscore); (5) addressee is highly similar to one or more other addresseesin the database (similarity score); (6) addressee is designated assensitive or belongs to a sensitive category (sensitivity score); (7)addressee is seldom a source for received messages (time-weighted orabsolute incoming message activity score); (8) message includes one ormore keywords designated as sensitive (keyword score); (9) messageincludes one or more keywords that are inconsistent with addresseecategory, for example, emotive words such as “love,” “hate,” “hug,”etc., in a message to an addressee designated as a “customer” or“business prospect” (subject inconsistent with addressee categoryscore), or (10) message is prepared on a day of the week or other date,or time-of-day, that is inconsistent with past patterns of mail preparedfor an addressee of the message, such as a holiday message to an addressthat normally is mailed to only during work days. The foregoing factorsare merely exemplary, and serve to illustrate various factors that maybe used to develop a sophisticated estimate of a probability of error.Individual factors may be weighted and equalized to provide an overallerror estimate.

In response to estimating a probability of addressing error, the clientmay determine 107 whether or not user confirmation is needed before thesending the electronic message, by comparing the estimated probabilitywith a predetermined risk threshold. For example, the client maydetermine that user confirmation is required if the estimatedprobability of error exceeds some predetermined threshold, for example,2%.

At 108, if the client determines that user confirmation is required, theclient may cause a message to be displayed on a local display screen, orotherwise output to the user. User confirmation may be required, forexample, if any of the addressees of an message to be sent areidentified as having a relatively high probability of error. The messagemay identify and display to the client's user one or more reasons why aaddressee is identified as questionable, and warn each the user that shemay be sending a message to an unintended recipient. If none of theaddressees are identified as questionable, the client may transmit theelectronic mail to an outgoing mail server in a conventional fashion,without providing a warning message.

The client may, in addition, provide the user with an option to confirmthat the addressees are correct in association with an outgoing messagewarning. For example, if the client provides an outgoing message warningin a pop-up window, the window may include one or more controls enablingthe user a choice of confirming that the addressees are correctly named,or editing the electronic mail to correct the addressees. User input maytherefore be received 110 in response to the warning and request foruser confirmation or instructions. If the user confirms 112 that theaddressees are correct notwithstanding the warning, the client may sendthe electronic mail to the outgoing mail server for delivery to theoriginally named addressees. If the user does not confirm, the clientmay determine by eliciting further user input whether or not the userwants to edit the message addressees or other message parameters. If theuser chooses to edit the addressees, method 100 may resume again at 102after the addressees are corrected. If the user elects to not edit themessage, the message may be saved indefinitely 116, such as in a“drafts” folder, or simply deleted.

For pieces of mail that do not need confirmation or for whichconfirmatory user input is received, the client may determine 118whether or not the message should be held for a defined period beforemailing. For example, all messages to a designated addressee may be heldfor five minutes to reduce the risk of an inadvertent or prematuretransmission. If message parameters indicate that a piece of mail shouldbe held, it may be held for any suitable designated period. Otherwise,the piece of mail may be transmitted for electronic mail delivery 122 inany suitable manner. Likewise, after a designated holding periodexpires, respective mail is transmitted for delivery 122.

FIG. 2 is a block diagram illustrating a system 200 of prevention oferroneous addressing in an electronic mail client in accordance with thepresent disclosure. In an aspect, the system 200 may comprise a WideArea Network (WAN) 202, network host computer 204, multiple clients 206,a database server 208 and a database 210. The WAN may enableconnectivity between the network host computer 204, the multiple clients206, the database server 208 and the database 210. The network hostcomputer 204 may comprise a correlation application 212, which may beencoded on computer-readable media and configured for performing stepsillustrated in the flow diagram of FIG. 1. In the alternative, each ofthe multiple clients 206 may comprise a correlation program 214, whichmay also be encoded on computer-readable media and configured forperforming the steps illustrated in the flowchart of FIG. 1. In yetanother alternative, some of the steps illustrated in the flowchart of

FIG. 1 may be performed by the correlation application 212 and some ofthe steps illustrated in the flowchart of FIG. 1 may be performed by thecorrelation program 214. The database server 208 and attached database210 may be coupled to the network host computer 204 to store thedatabase entries used in the method illustrated in the flowchart ofFIG. 1. Alternatively, the database server 208 and/or database 210 maybe connected to the WAN 202 and may be operable to be accessed by thenetwork host computer 204 via the WAN 202.

The multiple clients 206 may each further comprise an internal hard disk216 for storing the correlation program 214, a processor 218 forexecuting the correlation program 214 and/or performing other backgroundtasks and an internal bus 220 for internally connecting the hard disk216 and the processor 218. The hard disk 216 may also be configured tostore the database entries used in the method illustrated in theflowchart of FIG. 1. The output of the method illustrated by theflowchart of FIG. 1, the message, may be displayed on the multipleclients 206 via a display 222 in accordance with the matching emailparameters.

In some embodiments, an electronic messaging client may be configured toperform method 100 or essential portions thereof, in accordance with theunderstanding that messaging is a function tied to personal messagingpreferences and history. The messaging client may be a remote or localclient. FIG. 3 shows exemplary components of a messaging client 300,consistent with the foregoing. Client 300 may comprise a microprocessoror controller 302 coupled via a bus or other connection to certaincomponents permitting the client to receive tangible input from a user,process the input to generate message data, and to display message dataon a display device 304 via a graphics subsystem 305. User input may bereceived via any suitable input device, including, for example, akeyboard 306, and mouse or other pointer 308, and a microphone 310.Another increasingly prevalent input device is a touchscreen 312 thatmay be integrated with display 304. All of these devices function totransform physical input from the user environment into electronic inputdata that can be processed by microprocessor 302. At least one device ofthis type is essential to the operation of a messaging system and clientas described herein. It should be apparent that a messaging system thatis unable to receive user input would be useless.

Other essential components of the messaging client 300 may include anetwork interface device 314 enabling communication with externaldevices via a network 316. Although a wide area network is commonly usedfor messaging, the technology is not limited to any particular type ofnetwork. The network merely needs to provide communication between theclient and at least one mail or messaging server. The client may includemultiple communication devices, for example, a wireless interface 318enabling communication to a wireless network or local wireless device,such as using cellular or Bluetooth™ technology.

Memory components are also essential to operation of the client device.A typical client may include more than one type of memory device. In theillustrated example, the client includes a flash memory device 320.Flash memory is a type of non-volatile memory that may be used to storecore applications, for example, an operating system, when the client ispowered off. These core applications may be automatically loaded intoprocessor working memory, for example, random access memory 322 (RAM),when the client is powered on. Many processors also include specializedcache memory designed to facilitate accelerated processing, which mayinteract with RAM to handle program instructions and data. The clientmay further comprise a large non-volatile storage device 324, forexample disk or solid-state storage comprising a computer-readablemedium. Program instructions 326 may be stored on storage device 324,loaded in RAM 322 and thereby cause the client to perform a method asdescribed herein, in response to user input. Message and other data mayalso be stored in the storage device 324, including but not limited toaddressee pattern data for determining addressee error risk factors.Client 300 may be housed in a housing of any desired size (not shown).

Having thus described embodiments of a method and system of preventionof erroneous addressing in an electronic messaging client, it should beapparent to those skilled in the art that certain advantages of thewithin system have been achieved. It should also be appreciated thatvarious modifications, adaptations, and alternative embodiments thereofmay be made within the scope and spirit of the present invention. Forexample, a system operable over a wide area network has beenillustrated, but it should be apparent that the inventive conceptsdescribed above would be equally applicable to systems operating overother networks. For further example, the present disclosure emphasizesaddress correction performed by a client, but the present technology mayalso be carried out by a messaging server, or by a server and a clientworking cooperatively, as discussed in connection with FIG. 2. Theinvention is defined by the appended claims.

What is claimed is:
 1. A method for preventing addressing errors in anelectronic messaging client, comprising: generating, using theelectronic messaging client comprising a processor in communication witha messaging server, a user interface to facilitate authoring ofelectronic messages in response to input from an input device inelectronic communication with the client; generating, in response toinput from the input device, at least two addressees for an outgoingmessage; for at least one combination of the at least two emailaddresses, querying a database to determine a frequency with which auser of the client has sent electronic messages addressed to both of theat least two addressees; determining whether the frequency exceeds apredetermined frequency; and where the frequency does not exceed thepredetermined frequency, delaying transmission of the outgoing messageto permit correction or verification of at least one addressee.
 2. Themethod of claim 1, further comprising, generating a confirmationmessage, in response to determining that the frequency does not exceedthe predetermined frequency.
 3. The method of claim 1, furthercomprising, suggesting at least one alternative addressee in response todetermining that the frequency does not exceed the predeterminedfrequency.
 4. The method of claim 1, further comprising, delayingtransmission of the outgoing message until input is received from theinput device indicating confirmation of at least one of the addressees.5. The method of claim 1, further comprising recording the time of day,day of week and/or holiday information for one or more of the electronicmessages and delaying transmission of the outgoing message if theoutgoing message is prepared at a time of day, day of the week orholiday that is inconsistent with past patterns for the addressees. 6.The method of claim 1, further comprising delaying transmission of theoutgoing massage if one or more of the addressees is similar to one ormore of other addressees in the database.
 7. A method for preventingaddressing errors in an electronic messaging client, comprising:generating, using an electronic messaging client comprising a processorin communication with a messaging server, a user interface to facilitateauthoring of electronic messages in response to input from an inputdevice in electronic communication with the client; searching within atleast one electronic message for the presence of at least one designatedterm; identifying at least one designated recipient of the electronicmessage; determining whether the combination of the recipient and theterm match warning criteria; where there is a match for the warningcriteria, presenting a confirmation request to the user of theelectronic messaging client; and not sending the electronic messageunless confirmation is received.
 8. The method of claim 7, wherein theat least one designated recipient is designated as sensitive by a userof the messaging client.
 9. The method of claim 7, wherein the at leastone designated recipient is in a sensitive category of recipients. 10.The method of claim 7, wherein the at least one designated term isinconsistent with a recipient category.
 11. The method of claim 7,wherein the at least one designated term is designated as sensitive.